Revision as of 13:33, 5 June 2006

There are a number of tools to aid the wily application security assessor. By far the most relevant to this type of security assessment are local proxies and web/application spiders. To complete the full set of WebGoat lessons, a web proxy is required.

Application Assessment Proxy

A normal web-proxy typically receives, processes and forwards HTTP and HTTPS traffic between the client and server. This is normally to provide a single point through which all web traffic passes – for example to monitor usage, improve performance through caching or apply security policies.

An application proxy tool is designed to intercept all HTTP and HTTPS communication between the local client browser and the server side. It acts as a man-in-the-middle through which every request and response passes, so that all interaction may be monitored, reviewed and (importantly) modified before it reaches the other party.

Through such a tool, the assessor can determine exactly what data is passed between the client and the server. Furthermore, they may analyze and modify that data in order to test how the application responds to input it did not expect.
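To make the monitor-and-modify role concrete, here is a minimal intercepting proxy written as an added example for this page; it is not code from WebGoat or from any of the proxy tools the page refers to. It speaks plain HTTP only and forwards to a fixed upstream address rather than reading the host from the request line, which is enough to show the mechanism: every request is recorded, passed through a hook that may rewrite it, forwarded, and the response recorded on the way back. The target server, the `rewrite_user` hook and the `/login` form are all constructed for the demo.

```python
"""Minimal intercepting HTTP proxy (added example, not WebGoat code).
Plain HTTP only; the upstream (host, port) is fixed at construction."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Headers the proxy must not copy verbatim: hop-by-hop headers, the Host
# (http.client sets it for the upstream) and Content-Length (recomputed
# after the hook may have changed the body).
DROP_HEADERS = {"connection", "keep-alive", "transfer-encoding",
                "proxy-connection", "host", "content-length"}


def make_proxy_handler(upstream, request_hook, log):
    """Build a handler that forwards to `upstream`, letting
    `request_hook(method, path, headers, body)` rewrite each request and
    appending every exchange to `log` (a list)."""

    class Proxy(BaseHTTPRequestHandler):
        def _handle(self):
            length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(length) if length else b""
            headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in DROP_HEADERS}
            # The assessor's hook sees (and may alter) the full request.
            method, path, headers, body = request_hook(
                self.command, self.path, headers, body)
            if body:
                headers["Content-Length"] = str(len(body))
            conn = http.client.HTTPConnection(*upstream)
            conn.request(method, path, body=body, headers=headers)
            resp = conn.getresponse()
            resp_body = resp.read()
            conn.close()
            log.append({"request": (method, path, body),
                        "response": (resp.status, resp_body)})
            self.send_response(resp.status)
            for k, v in resp.getheaders():
                if k.lower() not in DROP_HEADERS:
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(resp_body)))
            self.end_headers()
            self.wfile.write(resp_body)

        do_GET = do_POST = _handle

        def log_message(self, *args):  # keep stderr quiet
            pass

    return Proxy


class Target(BaseHTTPRequestHandler):
    """Constructed stand-in for the application under test: greets the
    `user` field of a form POST."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        reply = f"hello {form.get('user', ['nobody'])[0]}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):
        pass


def rewrite_user(method, path, headers, body):
    """Hypothetical interception rule: change the `user` form field in
    transit, the kind of edit the proxy exists to allow."""
    if method == "POST" and b"user=" in body:
        form = parse_qs(body.decode())
        form["user"] = ["tester"]
        body = urlencode(form, doseq=True).encode()
    return method, path, headers, body


def serve(handler):
    """Start an HTTPServer on a free localhost port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Send a form POST through the proxy; return the reply and the log."""
    log = []
    target = serve(Target)
    proxy = serve(make_proxy_handler(target.server_address, rewrite_user, log))
    conn = http.client.HTTPConnection(*proxy.server_address)
    conn.request("POST", "/login", body=b"user=alice&pw=secret",
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    reply = conn.getresponse().read().decode()
    conn.close()
    for server in (target, proxy):
        server.shutdown()
        server.server_close()
    return reply, log


if __name__ == "__main__":
    reply, log = run_demo()
    print(reply)  # the target greets the rewritten user, not "alice"
    for entry in log:
        print(entry)
```

The browser-facing side would normally point at this proxy's port; here `run_demo` plays the browser with `http.client`. The log entry shows both what was sent after the hook ran and what came back, which is the record an assessor works from when deciding the next modification. HTTPS interception, which real proxy tools add by presenting their own certificate to the browser, is deliberately left out.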

It is essential for many of the lessons within WebGoat that an application assessment proxy, or software with equivalent functionality, be used.